Using Our Bodies As ID: Should We Be Worried?

02/06/2017 17:00
alexey_boldin via Getty Images

Personal information is a valuable commodity, so it's no surprise that cybercriminals seek different ways to get their hands on it. This includes targeting online providers in the hope of bulk-stealing sensitive data in a single attack. But it also includes tricking individuals into disclosing personal data or trying to guess the credentials they use to log in to online accounts. If we use weak, easy-to-guess passwords, we make their job much easier.

You can limit the damage of a security breach at an online provider by ensuring that you choose passwords that are unique and complex: an ideal password is at least fifteen characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. Alternatively, you can use a password manager application to handle all of this for you automatically. Or you can mix and match both approaches across different accounts.

Unfortunately, all too often people use easy-to-guess passwords and re-use the same password for multiple online accounts - so that if the password for one is compromised, all of the victim's online IDs are vulnerable. This issue was highlighted publicly in May 2016 when a hacker known as 'Peace' attempted to sell 117 million LinkedIn e-mails and passwords that had been stolen some years earlier. More than one million of the stolen passwords were '123456'!

Passwords shouldn't be the only thing we use to authenticate. Many online providers offer two-factor authentication - i.e. requiring customers to enter a code generated by a hardware token or one sent to a mobile device, to access a site, or at least to make changes to account settings. Two-factor authentication certainly enhances security, but only if people choose to take advantage of it.

However an increasing number of people believe that we should replace passwords altogether. Apple allows fingerprint authorisation for iTunes purchases and payments using Apple Pay. Samsung has said it will introduce fingerprint, voice and iris recognition for Samsung Pay. Amazon has announced 'selfie-pay' and MasterCard and HSBC have announced the introduction of facial and voice recognition to authorise transactions.

The parts of us that can be used to confirm our identity include face, eyes, ears, fingerprints, veins and heartbeat. Technology translates this into binary data and uses it to confirm a match and thereby verify who we are.

Fingerprints are probably the most well-known biometric identifier. Apple was an early adopter of this technology, embedding a fingerprint sensor into the home button of its iPhone 5S. Notwithstanding the fact that it was quickly demonstrated that the technology could be compromised, Touch ID marked a step up in security for many people using the iPhone who had previously not taken the trouble to secure it at all.

Eyes are another biometric used by some companies for identification. The scanning of the iris has now largely taken over from retina scanning (using the pattern of veins in the back of the eye). Both retina and iris are unique to each individual and don't change over time. Iris recognition is used on some smartphones, including the Samsung Galaxy Note7, a few Lumia Windows and Fujitsu phones, and some iOS devices. However, in 2015, a German hacker claimed to have successfully spoofed iris recognition technology by extracting the iris data from an online picture of the German Chancellor, Angela Merkel.

The heart's activity and the electrical signals it generates are distinct and very difficult to replicate, so it's little wonder that a number of products are focusing on our heartbeat as a way of identifying us - using a wristband, for example, to measure the unique electrical impulses generated by your heartbeat.

Voice recognition is already widely used in financial services, mainly alongside other methods of authentication. It is a sophisticated, complex process that involves analysing many characteristics and patterns, including intonation, natural speech defects, word order and more, and then comparing them with each other.

Biometric markers are ideal for use as identifiers because they are unique and unchanging over time. But that also makes them very vulnerable. If these identifiers are compromised, the potential consequences for victims in terms of loss of privacy and security are severe. If my password is compromised I can change it, but I'm stuck with my fingerprints, eyes and other physical characteristics.

It's clear that the use of biometrics is not a security panacea, biometric data can be spoofed or stolen. I believe that biometrics should be used to confirm our identity (i.e. used in place of a username), with a password or other mechanism - or ideally more than one used to confirm that identity. After all, if I choose a poor password and it is compromised, I can change it: if my fingerprint is compromised, there's nothing I can do about it.